WinAudit Freeware - Documentation
WinAudit :: Security

This section shows details relevant to the secure operation of the computer. WinAudit discovers various types of data and groups them according to functionality. Computer security is a large area, so the report concentrates on the items of key interest. Not all information is available on all versions of Windows®, and in a few cases administrator level privileges are required to report certain items detailed below.


Internet

Open Ports

Printers

Security Log

Security Settings

Shares

System Restore

User Privileges

Windows® Firewall

Internet Software

This section lists software that is associated with Internet usage. As such, any items listed here tend either to compromise or to enhance the computer's security. Internet related software is numerous and varied in function, so this detection is not exhaustive.

Type
Software applications are grouped by functionality or type. This may be one of Browser, E-mail, Anti-Spyware, Anti-Virus, Firewall or Combined. Most of the popular software brands in use can be detected. Some common-sense interpretation may be needed as software products change name, are upgraded from single applications to suites or are bundled for marketing purposes.


Name
The name of the software application as reported in the system registry.


Version
The version of the software application as reported in the system registry. This may differ from the software's branding version typically used for marketing purposes.


Data Update - Note!

For applications that require regular data file updates, an attempt is made to determine when this last occurred. At present anti-spyware and anti-virus software are examined. Different software publishers store dates differently, so WinAudit tries to discover them by examining the system registry and files that typically change during a periodic update. This is a heuristic approach and is far from fool-proof. As such, it is a best estimate and is mainly intended to draw attention to a potential security issue. It is strongly advised to accept any date presented by the application itself in preference to that reported by WinAudit.


Open Ports

This section lists the network ports in use. This functionality requires Windows® 98 and newer. On Windows® NT4 and above, with sufficient privileges, WinAudit maps open ports to their owning processes.

Port Protocol
The protocol of the port, either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).


Local Address
These are normally 0.0.0.0, 127.0.0.1 and any address the computer uses to identify itself on the network. Some administrators adopt the form 192.168.xxx.xxx.


Local Port
The port number indicates the type of data flowing between computers. As part of its normal operation a networked computer may have the following ports open:

Name Number
File transfer 21
Sending e-mail 25
Internet web site 80
Receiving e-mail 110
Location service 135
NetBIOS name service 137
NetBIOS datagram service 138
Lightweight Directory Access Protocol 389
Secure Internet web site 443
Microsoft® Directory Services 445
DHCP Client 546
DHCP Server 547

Depending on a computer's role, it may have other ports open. Your system administrator will be able to identify which ports should be open and the type(s) of information flowing through them.


Caption
Combined string of the Protocol, Local Address and Local Port, e.g. TCP 127.0.0.1:135


Service Name
The type of service the local port is being used for. Pertains to privileged ports only; this is optional information and it will be displayed if a suitable name can be obtained. An example is nbsession, which signifies the NetBIOS Session Service.


Remote Address
The address to which, if any, a connection has been made. Applicable to TCP ports only.


Remote Port
The port number of a remote computer to which, if any, a connection has been made. Applicable to TCP ports only.


Connection State
The state of the connection. WinAudit reports many different connection states; however, the ones of most interest are LISTENING and ESTABLISHED. Applicable to TCP ports only.


Process Name
The process that has opened the port. This is either the name or full path to the executable file of the process. Available on Windows® NT4 and above with sufficient privileges.


Process ID
The numerical identifier of the process that opened the port. Available on Windows® NT4 and above with sufficient privileges.


Process Description
The description, if any, of the process that opened the port. This is embedded in the executable file by its manufacturer. Available on Windows® NT4 and above with sufficient privileges.


Process Manufacturer
The manufacturer's name, if any, of the executable file that opened the port. Available on Windows® NT4 and above with sufficient privileges.


Printer Permissions

This section shows the security on the installed printers. For each printer a list of Trustees is displayed, and for each Trustee a list of Permissions. The same Trustee may occur multiple times. The Trustees, and hence the Permissions, are reported in the order in which they are searched by the operating system when it determines what access is granted to a given trustee. Available on Windows® NT4 and above.

Name
The name of the printer to which the permission applies.


Object Type
The Windows® operating system maintains many types of objects on which permissions can be applied. In this context, the securable object is 'Printer'.


Trustee
The account on which permissions have been set. This is usually a group name but can be a special name such as CREATOR OWNER. In some instances, for example if the Trustee account has been deleted, a string representation will be reported. This begins with S and is followed by a sequence of digits and hyphens such as S-1-2-32-544. This particular string is the default Administrators group (BUILTIN\ADMINISTRATORS) that was created when Windows was installed. For objects with no security the term 'No Trustee' will be shown.


ACE Type
ACE is an abbreviation of Access Control Entry, i.e. a set of permissions for a given Trustee. The type reported is usually Allow or Deny.


Permissions
A list of permissions that apply to the Trustee. For example, if the Trustee is Guests, the ACE type is Allow and this list contains Print, then Guests would be able to print. Typically the permissions are shown as common English language words; however, upper case strings may be reported. Their interpretation is Object Type dependent.


ACE Flags
A list that enumerates the behaviour of this permission set. The interpretation of this list is Object Type dependent, but typically it describes how the permissions relate to its parent and/or children.


Access Mask
A binary representation of the permissions that have been set on the Trustee. This is 32 characters long with the least significant bit to the right. A one (1) indicates a permission is set. The exact meaning of each permission is Object Type dependent. This is the raw data from which the Permissions list is created.
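As an added example (not WinAudit's own code), the following decodes the 32-character Access Mask string described above into the named Windows access rights it encodes. The bit names follow the standard ACCESS_MASK layout and the printer-specific rights from the Windows headers; the mapping of bit combinations onto friendly names such as 'Print' is an assumption about how the raw mask relates to the Permissions list.

```python
# Added example (not WinAudit code): decode the 32-character Access Mask string
# reported above, least significant bit on the right, into named Windows access
# rights. Bit names follow winnt.h / winspool.h; the friendly-name summary is an
# assumption about how raw bits map onto dialog names such as 'Print'.

# Standard and generic rights occupy bits 16-31 of every object's access mask.
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Object-specific rights (bits 0-15) when the Object Type is 'Printer'.
PRINTER_RIGHTS = {0x00000004: "PRINTER_ACCESS_ADMINISTER",
                  0x00000008: "PRINTER_ACCESS_USE"}
PRINTER_EXECUTE = 0x00020008     # READ_CONTROL | PRINTER_ACCESS_USE ('Print')
PRINTER_ALL_ACCESS = 0x000F000C  # STANDARD_RIGHTS_REQUIRED | both printer bits

def parse_access_mask(bits):
    """Convert the 32-character '0'/'1' string into an integer mask."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("access mask must be exactly 32 binary digits")
    return int(bits, 2)

def decode_access_mask(bits, specific=PRINTER_RIGHTS):
    """Name every set bit, lowest bit first. Unknown bits are kept as 'BIT_n'
    so nothing in a Deny ACE or an unusual Allow ACE is silently dropped."""
    mask = parse_access_mask(bits)
    return [specific.get(1 << n) or STANDARD_RIGHTS.get(1 << n) or f"BIT_{n}"
            for n in range(32) if mask & (1 << n)]

def summarise_printer_rights(bits):
    """Map the raw mask onto the familiar printer permission names."""
    mask = parse_access_mask(bits)
    if (mask & PRINTER_ALL_ACCESS) == PRINTER_ALL_ACCESS:
        return "Manage Printers"
    if (mask & PRINTER_EXECUTE) == PRINTER_EXECUTE:
        return "Print"
    return "Special"

if __name__ == "__main__":
    # Constructed sample: the mask a 'Guests / Allow / Print' ACE would carry.
    sample = format(PRINTER_EXECUTE, "032b")
    print(sample, decode_access_mask(sample), summarise_printer_rights(sample))
```

Passing a different `specific` dictionary decodes the same 32-character string for another Object Type, such as 'Share', whose low 16 bits carry different meanings.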


Owner
The owner of the printer. This is at the securable object level, i.e. it is the same for all Trustees. Requires Windows® 2000 or newer.


Security Log

On Windows® NT4 and above, an audit log is kept of certain security related operations. WinAudit examines this log and extracts those entries identified as audit failures. These entries generally arise when an operation is attempted and permission is denied. An example would be trying to read a file for which a user does not have sufficient privileges. The audit log can grow quite large, so only the twenty five (25) most recent unique entries are shown. The entries are reported in reverse chronological order with duplicates being ignored. A maximum of 5000 entries are read in the security log to discover those that are audit failures. Accessing the security log may require special privileges depending on the security policy in effect.

Time Generated
The time at which the audit entry was posted to the security log.


Source Name
The name of the programme which generated the audit entry.


Description
A textual, and sometimes cryptic, description of the information contained in the log. WinAudit will only attempt to resolve those parts of the description that reside on the local machine.


Security Settings

This section shows various configuration settings that are related to computer security.

Item
The type of application, service or configuration to which the information pertains. One of AutoLogon, Screen Saver, User Account, All Accounts, Automatic Updates or Internet Explorer.


Name
The name of the configuration item.


Setting
The value of the configuration item. The value reported necessarily depends on the type of data. For example if the type is AutoLogon then the value will be either Yes or No to signify that this feature is enabled or disabled respectively.

AutoLogon: If enabled, at computer startup the logon screen is not shown and the logon takes place automatically using a domain/username/password combination stored in plain text in the registry.

Screen Saver: Applies to the logged on user. Shows if enabled, the timeout and if it is password protected. On newer versions of Windows® local screen saver settings can be overridden by group wide policies.

All Accounts: Windows® NT4 and above only. Shows important security settings that apply to all user accounts. Included are 1) whether users are forced to log off out-of-hours, 2) the minimum number of characters allowed for a password, 3) the maximum allowed password age and 4) the number of historical passwords against which new ones are compared before acceptance.

Automatic Updates: Shows if Windows® is configured to perform scheduled downloads of updates. The periodicity of the schedule is shown. Requires at least Windows® 2000 with Service Pack 3 or newer.

Internet Explorer: Shows the most common security settings of Internet Explorer. The item will be one of Run Script (e.g. JavaScript), Run ActiveX®, Run Java™, Download Files, Install Desktop Items or Launch Applications.

Execute Data: Shows the programmes that are allowed to execute data. Data execution prevention is a processor based feature that monitors programmes. It is available on Windows® XP with Service Pack 2 and Windows® 2003 with Service Pack 1. The programmes listed in this section have been given permission to bypass this security check, thereby giving them access to normally protected areas of memory.


Share Permissions

This section shows the security on the network shares. Note, administrative shares such as ADMIN$ are reported with No Security and hence have No Trustee assigned. Likewise, some non-administrative shares have no security set and are similarly reported. These shares have usually been programmatically created. Available on Windows® NT4 and above. Note, discovery of security related information requires administrative privileges.

For a fuller description of the items, refer to the Printer Permissions section above.

Name
The name of the network share to which the permission applies.


Object Type
The Windows® operating system maintains many types of objects on which permissions can be applied. In this context, the securable object is 'Share'.


System Restore

Windows® XP has the facility to monitor certain files so that they can be reset to a previous date. This is useful if any of these files have become corrupt or if system instability occurs after a software update. This feature requires the Windows Management Service to be running. Up to a maximum of the 50 most recent restore points are displayed. Accessing system restore data may require administrator level privileges.

Sequence
The order in which the restore point was created. The first one is the most recent, regardless of the time setting of the computer's clock.

Creation Time
The time and date when the state of the system was saved. WinAudit attempts to display this date in yyyy-mm-dd hh:mm:ss format. It is the time of the computer's clock.


Description
A description of this particular restore point.


User Privileges

This section shows the privileges of the logged on user, i.e. the process that is running WinAudit. Windows® 95, Windows® 98 and Windows® Me do not support this functionality.


Privilege Name
The programme attempts to translate the privileges as understood by the operating system into a human readable form. On some systems no translation may be available; therefore, WinAudit presents the privilege's raw name. It will start with 'Se' and by examining it, one can usually make an intelligent guess as to the type of privilege granted.


Windows® Firewall

The Windows® Firewall was introduced with Service Pack 2 of Windows® XP. This section therefore only applies to those computers running this version of the operating system or newer.

Name
The name of an aspect of the firewall. One of Firewall Enabled, Authorised Application, Authorised Service or Authorised Port.


Setting
A description of a setting appropriate to the item in question. For example, Firewall Enabled might be Yes or No.

Firewall Enabled: Shows the state of the firewall, either Yes, No or Unknown.

Authorised Application: The name of an application that has been authorised to connect to a remote computer through the firewall. An example is Outlook Express.

Authorised Service: The name of a service that has been authorised to listen and accept incoming connections through the firewall. An example is File and Printer Sharing.

Authorised Port: A port that is authorised to be opened and to allow data to flow through it. The format is protocol:port_number:remote_address where the protocol is either TCP or UDP. If the remote address is an asterisk then the port can connect to any host. An example is TCP:80:*.
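The Open Ports 'Caption' format (TCP 127.0.0.1:135) and the Authorised Port format (TCP:80:*) described above can be cross-checked against each other. The following is an added example, not WinAudit's own code: it parses both formats and flags LISTENING ports that are absent from this page's table of normally open ports, or that a firewall rule exposes to any remote host. All sample rows are constructed.

```python
# Added example (not WinAudit code): cross-check two report fields described on
# this page. Open Ports 'Caption' strings ("TCP 127.0.0.1:135") and Windows
# Firewall 'Authorised Port' strings ("TCP:80:*") are parsed, and each LISTENING
# port is flagged when it is absent from the page's table of normally open ports
# or when a firewall rule admits any remote host ('*'). Sample data is constructed.
from typing import NamedTuple

# Ports the page lists as normal for a networked computer.
NORMAL_PORTS = {21, 25, 80, 110, 135, 137, 138, 389, 443, 445, 546, 547}

class Rule(NamedTuple):
    protocol: str
    port: int
    remote: str  # '*' means any host

def parse_caption(caption):
    """'TCP 127.0.0.1:135' -> ('TCP', '127.0.0.1', 135)."""
    protocol, endpoint = caption.split(" ", 1)
    address, port = endpoint.rsplit(":", 1)  # rsplit leaves the address intact
    return protocol.upper(), address, int(port)

def parse_authorised_port(entry):
    """'TCP:80:*' -> Rule('TCP', 80, '*'); format is protocol:port:remote."""
    protocol, port, remote = entry.split(":", 2)
    if protocol.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unexpected protocol in {entry!r}")
    return Rule(protocol.upper(), int(port), remote)

def review_listeners(captions, states, authorised):
    """Return one finding per LISTENING port that deserves a closer look."""
    rules = [parse_authorised_port(e) for e in authorised]
    findings = []
    for caption, state in zip(captions, states):
        if state != "LISTENING":  # Connection State applies to TCP ports only
            continue
        protocol, address, port = parse_caption(caption)
        if port not in NORMAL_PORTS:
            findings.append(f"{caption}: not in the list of normally open ports")
        if address != "127.0.0.1" and any(
                r.remote == "*" and (r.protocol, r.port) == (protocol, port)
                for r in rules):
            findings.append(f"{caption}: firewall rule admits any remote host")
    return findings

if __name__ == "__main__":
    # Constructed rows in the shapes WinAudit reports for the two sections.
    captions = ["TCP 0.0.0.0:135", "TCP 0.0.0.0:8080", "TCP 127.0.0.1:1025"]
    states = ["LISTENING", "LISTENING", "LISTENING"]
    for line in review_listeners(captions, states, ["TCP:8080:*", "TCP:80:*"]):
        print(line)
```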


©Copyright 2003-2011, Parmavex Services